Malware Infects Network Hard Drives

The malware "Mal/Miner-C" infects Internet-exposed Seagate Central Network Attached Storage (NAS) devices, and from there takes over connected computers to mine for cryptocurrency. About 77% of all drives have been infected.

Slashdot thread.

EDITED TO ADD (9/13): More news.

Posted on September 12, 2016 at 7:01 AM • 20 Comments

Comments

Knot Mee • September 12, 2016 8:04 AM

For some reason, my Seagate wasn't affected. Yippee! Of course, I don't do bitcoin, either.

One chronic problem with reports of horrible new exploits is they never tell you what to do to stop it, or figure out whether you have it.

Sophos has a good technical write up on it. Check this registry key for bad things first:

Registry Keys Created:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

If there is anything shaky there, delete it.

Full write up at:


https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Miner-C/detailed-analysis.aspx
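
A read-only way to carry out the check suggested in the comment above, as an added example that is not part of the original comment or the Sophos write-up. It lists every value under the HKCU Run key with whether its target file exists and its Authenticode status; the "Review" criteria are generic assumptions, not Mal/Miner-C indicators.

```powershell
# Added example: list HKCU Run entries for review. Reads only, deletes nothing.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Context only (assumption): auto-starts from user-writable folders merit a look,
# although plenty of legitimate software installs there too.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ }

function Get-CommandExecutable {
    param([string]$Command)
    # Run values are command lines: "C:\dir with spaces\app.exe" /arg  or  C:\app.exe /arg
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|vbs|js|ps1|scr))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if (-not $key) {
    Write-Output 'No Run key exists for this user.'
}
else {
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $exe     = Get-CommandExecutable $command
        # Bare names such as rundll32.exe are not resolved via PATH and show as missing.
        $exists  = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $status  = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'n/a' }
        $inUserDir = [bool]($userWritable | Where-Object {
            $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

        [pscustomobject]@{
            Name            = $name
            Command         = $command
            Executable      = $exe
            FileExists      = $exists
            Signature       = $status
            UserWritableDir = $inUserDir
            # Flag entries whose target is missing or not validly signed.
            Review          = (-not $exists) -or ("$status" -ne 'Valid')
        }
    }
}
```

Pipe the output to `Format-List` to read long command lines in full. A flagged entry is a prompt to look at the file, not proof of infection.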

richard richardson • September 12, 2016 11:20 AM

I can't remember where my old seagate went, it's somewhere :)

I mostly use SSDs ever since they became affordable.

albert • September 12, 2016 2:23 PM

@keiner,

"The dog are bite'n* my leg."

Couldn't resist,

Sorry...

-----
* are biting
. .. . .. --- ....

Seventy Percent Of Statistics Are Made Up • September 12, 2016 2:24 PM

The precision of the 77% statistic seems to be the interesting thing here. Are these drives effectively an always-online botnet that can be measured that accurately, that easily? I think I see a problem...

Tatütata • September 12, 2016 4:23 PM

I will generalize from five or six different brands of devices purchased over the last 15 years: all NAS are crap, both hardware and software-wise. :-(

If you can retail a complete laptop beginning at 100-200$, what the hell is so difficult in packaging a functional microcontroller and a hard disk in a box and selling it at a fair price? Finding people with brains?

Clive Robinson • September 12, 2016 5:20 PM

@ Mike The Goat,

How's the horn? Still tootaling along...

I trust things are well at your end?

Alex • September 12, 2016 8:08 PM

I guess I could blame myself for not hovering over the link and seeing one of the links was a PDF, but considering this is a "security" site, perhaps a written warning would be a good idea.

AC • September 13, 2016 12:08 AM

Alex:

I guess I could blame myself for not hovering over the link and seeing one of the links was a PDF, but considering this is "security" site, perhaps a written warning would be a good idea.

Why do you think the URL text imposes any restriction on content at that URL? If you want a warning before opening PDFs, it is your responsibility to use a browser that provides it.

The alternative is for "security" sites to somehow know your, and everyone else's, preferences.

Alex • September 13, 2016 12:23 PM

"The alternative is for "security" sites to somehow know your, and everone else's, preferences."

@AC Yes... putting (PDF) next to the link is too much trouble.

AC • September 13, 2016 11:16 PM

Alex:

Indicating file type like that is from the days when nearly all users would need to select a specific action (e.g. "Save As") rather than a normal click. It was for convenience; hopefully those days are long past, for most users.

However, you stated there are security reasons and that such text is a "warning". What security implications did you have in mind?
